Add a checker for signature boundary in verifier
The 'signature_start' variable marks the location of the signature from the end of a zip archive. And a boundary check is missing where 'signature_start' should be within the EOCD comment field. This causes problems when sideloading a malicious package. Also add a corresponding test. Bug: 31914369 Test: Verification fails correctly when sideloading recovery_test.zip on angler. Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
This commit is contained in:
@@ -155,4 +155,5 @@ INSTANTIATE_TEST_CASE_P(BadPackage, VerifierFailureTest,
|
||||
std::vector<std::string>({"random.zip", "v1"}),
|
||||
std::vector<std::string>({"fake-eocd.zip", "v1"}),
|
||||
std::vector<std::string>({"alter-metadata.zip", "v1"}),
|
||||
std::vector<std::string>({"alter-footer.zip", "v1"})));
|
||||
std::vector<std::string>({"alter-footer.zip", "v1"}),
|
||||
std::vector<std::string>({"signature-boundary.zip", "v1"})));
|
||||
|
||||
BIN
Binary file not shown.
@@ -147,6 +147,12 @@ int verify_file(unsigned char* addr, size_t length,
|
||||
LOG(INFO) << "comment is " << comment_size << " bytes; signature is " << signature_start
|
||||
<< " bytes from end";
|
||||
|
||||
if (signature_start > comment_size) {
|
||||
LOG(ERROR) << "signature start: " << signature_start << " is larger than comment size: "
|
||||
<< comment_size;
|
||||
return VERIFY_FAILURE;
|
||||
}
|
||||
|
||||
if (signature_start <= FOOTER_SIZE) {
|
||||
LOG(ERROR) << "Signature start is in the footer";
|
||||
return VERIFY_FAILURE;
|
||||
|
||||
Reference in New Issue
Block a user